Introduce an EventListenerMap class which manages a map of event types that have
one or more listeners connected.

When there is only one event type, it's stored directly on the EventListenerMap
internally, and when more are added it moves to a hash map. It only goes back
from the hash map if all the listeners are removed at once (i.e clear() is called.)

Source/WebCore: ​https://bugs.webkit.org/show_bug.cgi?id=66714
Add webkitPostMessage to allow for adding transferable support.
This adds webkitPostMessage, currently identical to postMessage, which
would later be a vehicle for adding transferable support for messaging.

LayoutTests: ​https://bugs.webkit.org/show_bug.cgi?id=66714
Add webkitPostMessage to allow for adding transferable support.
This adds webkitPostMessage, currently identical to postMessage, which
would later be a vehicle for adding transferable support for messaging.
The tests ensure that webkitPostMessage and postMessage behave identically.

Like GTK, Android depends on harfbuzz as well, so reflect that in
the project file. Furthermore, fix a compile error in PopupListBox.cpp
by explicitly including ctype.h, as isspace otherwise won't be declared.

Assume two rubies between which a narrow text exists, like
"<ruby>x<rt>xxxxxx</rt></ruby>l<ruby>y<rt>yyyyyy</rt></ruby>".
In order to avoid the two rubies overlapping with each other,
this patch overhangs the ruby by no more than half the ruby font
size and no more than half the width of the neighboring text.

fast/ruby/overhang-horizontal-no-overlap1.html: Added. Tests if two rubies do not overlap with each other when a narrow text exists between the two rubies. Split into two test files in order to fit each test result within one page.

fast/ruby/overhang-horizontal-no-overlap2-expected.png: Added.

fast/ruby/overhang-horizontal-no-overlap2-expected.txt: Added.

fast/ruby/overhang-horizontal-no-overlap2.html: Added. Tests if two rubies do not overlap with each other when a narrow text exists between the two rubies. Split into two test files in order to fit each test result within one page.

fast/ruby/overhang-vertical-no-overlap1-expected.png: Added.

fast/ruby/overhang-vertical-no-overlap1-expected.txt: Added.

fast/ruby/overhang-vertical-no-overlap1.html: Added. Tests if two rubies do not overlap with each other when a narrow text exists between the two rubies. Split into two test files in order to fit each test result within one page.

fast/ruby/overhang-vertical-no-overlap2-expected.png: Added.

fast/ruby/overhang-vertical-no-overlap2-expected.txt: Added.

fast/ruby/overhang-vertical-no-overlap2.html: Added. Tests if two rubies do not overlap with each other when a narrow text exists between the two rubies. Split into two test files in order to fit each test result within one page.

When using source-in, destination-in, source-out, or destination-atop a temporary
buffer is created. This buffer only needs to be big enough to cover the intersection
of the path and the canvas. If the area of intersection between the fill and the
canvas is empty the canvas is completely cleared and a temporary buffer is not used.

This change also adds some null checks for failures to create contexts or buffers.

(WebCore::Document::~Document): Added a call to deleteRetiredCustomFonts(), in case the Document
is destroyed before getting a chance to recalc style after custom fonts have been retired.
(WebCore::Document::recalcStyle): Added a call to deleteRetiredCustomFonts() after style recalc.
(WebCore::Document::deleteRetiredCustomFonts): Added. Deletes all previously-retired custom font
data.

The major bug here is that the slow case (which handles shifts of
doubles) doesn't check for negative results from an unsigned shift
(which should be unsigned, and as such can't be represented by a
signed integer immediate). The implementation is also flawed for
shifts by negative shift amounts (treats as shift by zero).

Added a bunch of tests to ensure WebKit does not keep block elements' style when merging paragraphs.
When removing line breaks between <h1>hello</h1>world and hello<pre>world</pre> for example,
we should not be overriding and preserving styles from h1 in the merge paragraph respectively.

This feature was added in ​http://trac.webkit.org/changeset/15557 to
support housingmaps.com. But housingmaps.com no longer needs this hack,
we don't know of other websites that need it, and we don't know of
any other browsers that have implemented this feature.

Configurations/WebProcess.xcconfig: Add an icon in Debug and Release builds. The empty
value for production resulted in WebKit not adding the key to plist at all, which is what
we want (but I don't know if it's a supported feature).
Also, don't copy the icon file to built framework in production builds.

This adds the ability to track intrinsic functions throughout the
host function infrastructure, so that the DFG can easily query
whether or not a call's target is intrinsic, and if so, which
intrinsic it is.

On top of this, it adds Math.abs intrinsics to DFG. Call(Math.abs)
is transformed into ValueToNumber<-ArithAbs nodes. These nodes
then get optimized using the usual tricks.

Also had to make a completely unrelated change to
DateInstanceCache.h in order to fix a preexisting alphabetical
sorting problem in JSGlobalData.h

This results in a big win in imaging-gaussian-blur: 61% faster
than before. The net win on Kraken is around 13%.

Weak handle processing can result in new objects being marked, which
results in new WeakReferencesHarvesters being added. But weak
reference harvesters are only processed before weak handle processing,
so there's the risk that a weak reference harvester will persist
until the next collection, by which time it may have been deleted.

The cached scaledFont needs to be updated on every style set call. It
is not similar to m_style which can get derived from parent's style and
hence will get automatically updated on ancestor's style change. This is
required, otherwise we will maintain stale font list in cached scaledFont
when custom fonts are retired on Document::recalcStyle.

The idea is to create a set of tests which cover frequently used UI actions
and print the average time of these actions.
There are two pilot tests. The common part was extracted into performance-test helper.

MethodCallLinkInfo and StructureStubInfo are now searchable by
bytecodeIndex, so that DFG::ByteCodeParser can use that information
to determine how to optimize GetMethod.

A new node op has been added to DFG: CheckMethod. This is a variant
of GetMethod that has been optimized for the case that GetMethod
always takes the fast path. CheckMethod results in only a very
small amount of code (two loads and two branches in the worst case,
one load and one branch in the best case). CheckMethod behaves as
if it were a constant.

Introduced the notion that a DFG node that is not JSConstant
behaves as a constant. CheckMethod uses this functionality.

This is a 3% speed-up on Kraken, and a small speed-up on V8.
Appears to be neutral on SunSpider.

Created a new LayoutState constructor for the RenderFlowThread. It will
set m_isPaginated to true and force a pageHeight if 1. The actual pageHeight is
not used, because pageLogicalHeightForOffset will actually redirect the call
to RenderFlowThread.

Removed some of the duplicate code that calculated the page logical offset.
Added new methods like logicalPageOffset, pageLogicalHeightForOffset,
pageRemainingLogicalHeightForOffset.

There are still some issues related to incremental layout and different region widths.
Those issues will be addressed in different patches.

Completed the seventh and final level of the refactoring to add finishCreation()
methods to all classes within the JSCell hierarchy with non-trivial
constructor bodies.

JSCallbackObject was missed in previous patches due to the fact that
it's non-obvious (at least to my script) that it is in the JSCell hierarchy, so
this is just a bit of retroactive cleanup.

API/JSCallbackObject.h:

(JSC::JSCallbackObject::create):

API/JSCallbackObjectFunctions.h:

(JSC::::JSCallbackObject):

Source/WebCore:

No new tests.

Completed the seventh and final level of the refactoring to add finishCreation()
methods to all classes within the JSCell hierarchy with non-trivial
constructor bodies.

This consists of moving the finishCreation() method call into the create methods
of the sixth level of the hierarchy as was done in previous patches.

The special cases for JSAudioConstructor, JSOptionConstructor, and JSImageConstructor
were also lumped in and given finishCreation() methods that are called in their
create methods because we are at the end and want to avoid a trivial patch just
for moving their finishCreation() methods from their constructor to their create method.

The bindings generation script was also changed to move the finishCreation() call into the
create methods for descendants of JSWorkerContextBase and JSDOMWindowBase because those base
classes had it removed from their constructors.

When the document width of a page is overflowed, the last line of the page can be
split into the next page. This is the regression caused by r88737. r88737 tried to
fix rounding errors in rendering calculations by expanding and shrinking a page
using one common method, resizePageRectsKeepingRatio(), but overlooked the case where
a document width gets overflowed.

Source/WebCore:

This patch fixes the problem by also using resizePageRectsKeepingRatio() for the case
where the document width gets overflowed.

Test: printing/single-line-must-not-be-split-into-two-pages.html

WebCore.exp.in: Updated the signature of forceLayoutForPagination().

page/Frame.cpp:

(WebCore::Frame::setPrinting): Added a new argument |originalPageSize|, which is an original page size before being expanded or shrunk.

page/Frame.h:

page/FrameView.cpp:

(WebCore::FrameView::forceLayoutForPagination): Uses resizePageRectsKeepingRatio() in the case where the document width gets overflowed.

page/FrameView.h:

page/PrintContext.cpp:

(WebCore::PrintContext::begin): Passes an original page size to setPrinting().
(WebCore::PrintContext::end): Ditto.

Another fix to take care of one last crash when running pause-crash.html.
CACF can't deal with null valueFunctions, so avoid setting it when it doesn't
exist.

This also adds logic to the Windows Hook in LayerChangesFlusher to prevent it
from catching the null pointer exception generated by the pause-crash.html test
before this bug was fixed. Windows was ignoring the exception, so the testcase
would appear to succeed, even though it should have crashed.

This removes the non-speculative JIT and everything that relied on it,
including the ability to turn on DFG but not tiered compilation the,
ability to perform speculation failure into non-speculative JIT code,
and the ability to statically terminate speculation.

Make overflow clipping to border-radius work across layers. This patch makes painting
work but does not attempt to fix hit testing. It also doesn't work when a composited
layer is clipped by a non-composited ancestor.

Add a new ClipRect class (used by ClipRects and RenderLayer) that is basically just tracking
a rect and a border radius taint. At the time we set a clip, if the rectangle is listed
as also being clipped by a radius, then we walk up the layer tree and push those inner border
rounded rect clips for any overflow areas in the containing block chain.

The crash stems from the fact that FillLayer::hasImage would walk over the linked list
of FillLayers and return true if one had an image. This means that hasImage() is true
does not mean that image() is non-NULL on all FillLayers.

rendering/RenderBox.cpp:

(WebCore::RenderBox::paintMaskImages): Simplify the logic by doing the hasImage() check up-front
and properly check image() for each FillLayers. This has the nice benefit of changing the complexity
from O(n2) to O(n), which was what the code expected anyway.

Stole all of the goodness from NonSpeculativeJIT and placed it
in JITCodeGenerator. Left all of the badness (i.e. subtle code
duplication with SpeculativeJIT, etc). This is in preparation
for removing the NonSpeculativeJIT entirely, but having its
goodness available for reuse in the SpeculativeJIT if necessary.

When loading a cached image after a beforeload handler has been
installed on the document, ImageLoader would dispatch both the
beforeload and load events asynchronously in such a way that caused
load to fire first. Since a side effect of firing the beforeload event
is to wire up the CachedImage to its associated RenderImage object,
this work was not done by the time load fired, and scripts that queried
renderer-dependent attributes of the image in an onload handler would
get bogus values in return.

Fix this by ensuring load fires after beforeload in the cached image case.

loader/ImageLoader.cpp:

(WebCore::ImageLoader::updateFromElement): Call setClient() after
dispatching beforeload, since setClient() will dispatch the load event
if the image is cached.

Since ScrollView keeps track of the contents size in ScrollView::m_contentsSize, we never
have to ask the underlying platform scroll view for contents size since it should always just
be equal to m_contentsSize.

The call to reset the multiple form submission bool is pushed down from the mouseDown handler to
handleMousePressEvent(), to include WK2 coverage, similar to keyEvent.

page/EventHandler.cpp:

(WebCore::EventHandler::handleMousePressEvent):
(WebCore::EventHandler::keyEvent): clarified old FIXME comment. Both key events and mouse events
may submit a form multiple times, but the call to reset the handler should probably be in another
abstraction layer.

page/mac/EventHandlerMac.mm:

(WebCore::EventHandler::mouseDown):

Source/WebKit/chromium:

src/WebViewImpl.cpp:

(WebKit::WebViewImpl::mouseDown): Remove call to resetMultipleFormSubmissionProtection() since
it will be made in platform-independent function EventHandler::handleMousePressEvent().

LayoutTests:

New test that simulates mouse clicking submit button twice (which didn't work), as well as using the keyboard twice (which did work).

At the request of the public-script-coord mailing list (specifically Brendan Eich, see​http://lists.w3.org/Archives/Public/public-script-coord/2011JulSep/0360.html), this
patch removes the ability to call a collection (either a NodeList or HTMLCollection,
but not an HTMLAllCollection) as function, a syntax that we adopted to emulate IE.
It is being landed to find out if there are any sites relying on this behavior of WebKit,
or, if it is only used in IE only paths. If we find sites are breaking, it should be rolled
out and we should inform the public-script-coord mailing list.

(JSC::JIT::emitStoreAndMapInt32): New int32 helper function for stores
that can chain their results, which is the common case.

jit/JITArithmetic32_64.cpp:

(JSC::JIT::emit_op_lshift):
(JSC::JIT::emitRightShift):
(JSC::JIT::emit_op_bitand):
(JSC::JIT::emit_op_bitor):
(JSC::JIT::emit_op_bitxor):
(JSC::JIT::emit_op_bitnot):
(JSC::JIT::emit_op_pre_inc):
(JSC::JIT::emit_op_pre_dec): Deployed new function.
(JSC::JIT::emit_op_post_inc):
(JSC::JIT::emit_op_post_dec): Had to reorder these functions so they
computed their result values last, to make them elligible for chaining.

Scripts/webkit2/messages.py: Added constants for the message attributes we support.

(MessageReceiver.parse): Instead of recognizing individual attributes, just stick the
attributes into a set and pass it to the Message constructor.
(Message.init): Changed to take a generic set of attributes instead of individual
attributes.
(Message.has_attribute): Added. Returns true if the message has an attribute.
(message_is_variadic): Renamed from parameter_type_is_variadic. Code came from
Message.init, which set the old message.is_variadic property.

Replace a String member variable in ThreadableWebSocketChannelClientWrapper with Vector<UChar>.

ThreadableWebSocketChannelClientWrapper is derived from ThreadSafeRefCounted. It may be
destroyed on different threads, which will affect String's refcounting. Therefore, classes
derived from ThreadSafeRefCounted must not have a String member variable.

No change in functionality, thus no new tests. WebSocket worker tests
(tests under http/tests/websocket/tests/{hixie76,hybi}/workers/) should keep passing.

websockets/ThreadableWebSocketChannelClientWrapper.cpp:

(WebCore::ThreadableWebSocketChannelClientWrapper::ThreadableWebSocketChannelClientWrapper):
(WebCore::ThreadableWebSocketChannelClientWrapper::subprotocol):
Create a String from Vector<UChar>. Note that String constructor taking an empty vector returns
a null string, not an empty string. We want an empty string in that case, so I had to add
special-case handling for an empty vector.
(WebCore::ThreadableWebSocketChannelClientWrapper::setSubprotocol):
Copy the content of the given String into Vector.

JSCell::toBoolean now manually performs the toBoolean check for objects and strings (where
before it was simply virtual and would crash if its implementation was called).
Its descendants in JSObject and JSString have also been made non-virtual. JSCell now
explicitly covers all cases of toBoolean, so having a virtual implementation of
JSCell::toBoolean is no longer necessary. This is part of a larger process of un-virtualizing JSCell.

Replace QT_GCC_X variables, they have been removed in Qt5. It was
actually wrong to use them because they tell about which GCC version
Qt has been compiled, not the current version of GCC use to build webkit.
I use gcc -dumpversion to get it.

Source/WebKit.pri:

Source/JavaScriptCore:

Use the new GCC_X variables defined in WebKit.pri to replace
the usage of QT_GCC_X.

Use the correct memeber of the CONTEXT struct for the stackpointer for CPU(ARM) and CPU(MIPS).
Only query CONTEXT_INTEGER and CONTEXT_CONTROL, since CONTEXT_SEGMENTS isn't defined for
CPU(ARM) and CPU(MIPS) and the stackpointer is defined in the CONTEXT_CONTROL section for
CPU(ARM), CPU(X86) and CPU(X86_64) and in the CONTEXT_INTEGER section for CPU(MIPS).

Remove the dependency on GraphicsLayer from CCLayerTreeHost.
Move root layer management into the NonCompositedContentHost.
Have WebViewImpl create a NonCompositedContentHost explicitly.​https://bugs.webkit.org/show_bug.cgi?id=67883

Added a pure virtual class CCLayerDelegate which helps to isolate
the chromium compositor from the rest of WebCore, and aids unit
testing by being easily mockable. The compositor layers no longer
directly see instances of GraphicsLayerChromium, instead they use
this interface.​https://bugs.webkit.org/show_bug.cgi?id=67750

Added a ValueToDouble node, which is a variant of ValueToNumber that
hints that it will only be used as a double and never as an integer.
Thus, it turns off integer speculation even if the value profiler
told us that the value source is an int. The logic for converting a
ValueToNumber into a ValueToDouble is found in Propagator.

LayerRendererChromium is owned exclusively by CCLayerTreeHostImpl, so there's no reason to have it be
refcounted. Making it an OwnPtr<> makes the lifecycle for these objects much cleaner and reduces the chance of
introducing accidental reference cycles. This also removes the LayerRendererChromium pointers from CCLayerImpls
since it only needed at draw time.

Tiered compilation avoids invoking the DFG JIT if it finds that value
profiles contain insufficient information. Instead, it produces a
prediction from the current value profile, and then clears the value
profile. This allows the value profile to heat up from scratch for
some number of additional executions. The new profiles will then be
merged with the previous prediction. Once the amount of information
in predictions is enough according to heuristics in CodeBlock.cpp,
DFG optimization is allowed to proceed.

(TestWebKitAPI::didReceiveMessageFromInjectedBundle): Do some basic sanity checks to make sure
the returned data is a valid webarchive.
(TestWebKitAPI::setInjectedBundleClient):
(TestWebKitAPI::didFinishLoadForFrame):
(TestWebKitAPI::TEST): Load simple.html in a WebView. Wait for it to finish loading, and then ask the
injected bundle for the webarchive and check the returned webarchive.

Centered portions of border images don't render correctly. Make the tile scale factor have to be
explicitly passed in and modify paintNinePieceImage to compute it for all sides. The attempts to
implicitly compute the scale for the pattern based off the source and destination rects just don't
work, since the center image rects don't provide the right information to be able to infer the
scale factor.

Reviewed by Sam Weinig.

Reset all the existing fast/borders pixel results to Lion for these changes.

Added a richer set of type predictions, including JSFinalObject, JSString,
object that is not a JSFinalObject or JSArray (ObjectOther), some object
but we don't or care know what kind (SomeObject), definitely an object,
cell that is not an object or JSString, an value that is none of the above
(so either Undefined or Null). Made the propagator and value profiler work
with the new types.

Performance is neutral, because the DFG JIT does not take advantage of this
new knowledge yet.

In the process of writing predictionToString() (which is now considerably
more complex) I decided to finally add a BoundsCheckedPointer, which
should come in handy in other places, like at least the OSR scratch buffer
and the CompactJITCodeMap. It's great for cases where you want to
do pointer arithmetic, you want to have assertions about the
pointer not going out of bounds, but you don't want to write those
assertions yourself.

This also required refactoring inherits(), since the ValueProfiler may
want to do the equivalent of inherits() but given two ClassInfo's.

When destroying an ImageBuffer due to a canvas resize, we weren't clearing the texture ID on the layer,
resulting in future compositor draw calls binding an invalid texture. This results in the test failing and
possibly drawing from a bad texture.

Covered by fast/canvas/setWidthResetAfterForcedRender.html in the GPU configuration.

Completed the sixth level of the refactoring to add finishCreation()
methods to all classes within the JSCell hierarchy with non-trivial
constructor bodies.

This primarily consists of pushing the calls to finishCreation() down
into the constructors of the subclasses of the fifth level of the hierarchy
as well as pulling the finishCreation() calls out into the class's corresponding
create() method if it has one. Doing both simultaneously allows us to
maintain the invariant that the finishCreation() method chain is called exactly
once during the creation of an object, since calling it any other number of
times (0, 2, or more) will cause an assertion failure.

Completed the sixth level of the refactoring to add finishCreation()
methods to all classes within the JSCell hierarchy with non-trivial
constructor bodies.

This primarily consists of pushing the calls to finishCreation() down
into the constructors of the subclasses of the fifth level of the hierarchy
as well as pulling the finishCreation() calls out into the class's corresponding
create() method if it has one. Doing both simultaneously allows us to
maintain the invariant that the finishCreation() method chain is called exactly
once during the creation of an object, since calling it any other number of
times (0, 2, or more) will cause an assertion failure.

JSRun.cpp:

(JSGlueGlobalObject::JSGlueGlobalObject):

JSRun.h:

(JSGlueGlobalObject::create):

Source/WebCore:

No new tests.

Completed the sixth level of the refactoring to add finishCreation()
methods to all classes within the JSCell hierarchy with non-trivial
constructor bodies.

This primarily consists of pushing the calls to finishCreation() down
into the constructors of the subclasses of the fifth level of the hierarchy
as well as pulling the finishCreation() calls out into the class's corresponding
create() method if it has one. Doing both simultaneously allows us to
maintain the invariant that the finishCreation() method chain is called exactly
once during the creation of an object, since calling it any other number of
times (0, 2, or more) will cause an assertion failure.

Added a finishCreation declaration and Moved the finishCreation call into the
create method for all classes except for subclasses of JSWorkerContextBase and
JSDOMWindowBase because those classes are on the next level, and it's easier
to do all of these classes in one fell swoop rather than level by level.
(GenerateHeader):
Added the implementation of the finishCreation method for the classes described above.
(GenerateImplementation):
Also added the finishCreation calls to the autogenerated DOM constructor classes.
(GenerateConstructorDeclaration):
(GenerateConstructorDefinition):

Completed the sixth level of the refactoring to add finishCreation()
methods to all classes within the JSCell hierarchy with non-trivial
constructor bodies.

This primarily consists of pushing the calls to finishCreation() down
into the constructors of the subclasses of the fifth level of the hierarchy
as well as pulling the finishCreation() calls out into the class's corresponding
create() method if it has one. Doing both simultaneously allows us to
maintain the invariant that the finishCreation() method chain is called exactly
once during the creation of an object, since calling it any other number of
times (0, 2, or more) will cause an assertion failure.

Completed the sixth level of the refactoring to add finishCreation()
methods to all classes within the JSCell hierarchy with non-trivial
constructor bodies.

This primarily consists of pushing the calls to finishCreation() down
into the constructors of the subclasses of the fifth level of the hierarchy
as well as pulling the finishCreation() calls out into the class's corresponding
create() method if it has one. Doing both simultaneously allows us to
maintain the invariant that the finishCreation() method chain is called exactly
once during the creation of an object, since calling it any other number of
times (0, 2, or more) will cause an assertion failure.

MediaPlayerPrivateAVFoundationObjC creates a "periodic time observer" not because it wants
periodic callbacks, but because a time observer also fires whenever a seek completes. This is
no longer necessary because it now uses but AVPlayerItem's
-seekToTime:toleranceBefore:toleranceAfter:completionHandler to seek, so seek completions are
always notified.

CachedImage::brokenImage() now returns a pair<Image*, float> where the float
represents the image's scale factor. This is important because currently, the
broken image will either be only 1x or 2x, but a deviceScaleFactor could
theoretically be something different (1.5, 3, etc). So it is not safe to assume
that the image's scale factor is equivalent to the deviceScaleFactor, and
hardcoding 2 for now is lame.

This moves the contents TextureManager over to the CCLayerTreeHost, where it belongs, and adds in a commit path
to make sure that textures are deleted even if the page is not visible. This move also removed the need for
LayerRendererChromium's CCLayerTreeHost pointer, so I removed that as well. That meant moving the
layerTreeAsText() logic over to the CCLayerImpl side, which is where it really belonged anyway.

Regressions in some layout tests from making border/mask/reflection nine-piece-image
parsing match the spec, which allows any of the pieces to be omitted and to also be
specifiable in any order.

When the higher level code suddenly allowed the image slices to be omitted, the fixup
for legacy compatibility for reflections and masks in the parseBorderImageSlice function
no longer happened because that function no longer got called.

The fix is to properly set the defaults to include the "fill" keyword, so the fixup is
applied to the NinePieceImages you create before you ever map anything in from the rules.

This also has the side effect of fixing -webkit-max-box-image-slice to actually dump as
"0 fill" instead of just "0", which is the correct initial value for this property.

We should not instrument frameDestroyed event from within Frame's destructor
since frame's m_page pointer is likely to be 0 by that time and appropriate
instrumenting agent won't be found. As a result, stale frame with its id
end up in the inspector.

This change wipes out frame binding from the inspector upon detach rather
than destroy.

Ensure that the template specialization for HashTraits<String> is always
picked up. (Previously it was possible to include HashSet and String but
not the correct HashTraits, so you would get an inefficient template
instantiation.)

We should not instrument frameDestroyed event from within Frame's destructor
since frame's m_page pointer is likely to be 0 by that time and appropriate
instrumenting agent won't be found. As a result, stale frame with its id
end up in the inspector.

This change wipes out frame binding from the inspector upon detach rather
than destroy + adds an assertion into the inspector agents lookup with 0 page.

When a custom scrollbar is removed from its FrameView, its destruction
can be delayed because of RefPtr maintained in EventHandler class
(m_lastScrollbarUnderMouse). Upon removal, we delete all the scrollbar
parts so that they don't link back to scrollbar. However, because of the
delay, we can have a call to updateScrollbarPart which recreates it.
When scrollbar is getting destroyed, we just check to see if there are
remaining scrollbar parts and if yes, we destroy them.

All the back-end infrastructure exists for this operation. This patch
just adds some UI to the front-end and wires that UI up to the back
end. This exact UI will likely need some more polish, but this should
be a reasonable first cut.

This patch adds ui.MessageBox, which is a light wrapper around jQuery
UI's dialog widget. We then use ui.MessageBox to show status messages
about in-progress rebaselines. As each baseline is downloaded, the
MessageBox updates. This UI replaces our temporary "alert"-based UI.

Using g_list_count() and g_list_nth_data() together on a loop is
inneficient since they're both O(n). Iterate over lists in a saner
way.

DumpRenderTree/gtk/DumpRenderTree.cpp:

(dumpHistoryItem): Reduce the scope for the 'kids' variable, and
iterate on it using g_list_next(). Free the list after done with it.
(dumpBackForwardListForWebView): Instead of appending (which is
expensive in GLists) history items and then iterating from the tail
of the itemsToPrint list, prepend items and walk forwards as usual.
(dumpBackForwardListForAllWebViews): Walk the list in a saner way,
remove the (unneeded) viewList variable.

This required allowing us to check if a constant is double but not
integer, and making the shouldSpeculateInteger() check test for
any hints of doubly-ness in its operands. This also required
changing some terminology: previously "isDouble" often meant
"isDouble or isInt32". Now "isDouble" means exactly what the name
suggests, and "isNumber" means "isDouble or isInt32".

Make sure we set a valid platform cursor in the Cursor::NoDrop case, and add a default
clause that uses the arrow cursor in case another cursor type is added in the future
and we forget to update ensurePlatformCursor().

FrameLoader does ask its DocumentLoader to stop loading subresources before
setting the state to FrameStateCommittedPage. But it does
not check if the the DocumentLoader actually stopped loading before
it changes the state.
Therefore a subresourceLoader can still be active, when we receive the
call to dispatchDidFinishLoad(). This leads to an inconsistent behavior
of the stop/reload actions in QWebPage.
This changeset fixes the inconsistent state by updating the action states
also when frameLoadCompleted() is called.

Testing useCSS, the command previously unsupported by WebKit. Also, we are testing
styleWithCSS accepts anything that is not the boolean false or the string "false" as true.
Furthermore, we test that queryCommandValue/State('useCSS') return boolean false and
queryCommandValue/State('useStyleWithCSS') returns booleans (as opposed to 'true'/'false'
strings)

Null mimetypes are okay for subresources, but as previously discovered
in bug 41082 they were required for main resources. Here we ensure
that they are required for main resources, but we allow null mimetypes
for subresources.

To fix a crash for bad input we never add a null ArchiveResource to the
Archive's subresource collection. It is useless and causes crashes whenever
someone iterates the Archive's subresource collection.

The errant code was added as an optimization in r67804.
This patch reverts that one, as all parties agree that the optimization
doesn't seem worthwhile, and there clearly aren't any tests covering
the special case.

No new tests, as existing tests should cover the remaining call to
|std::stable_sort|.

Replace a String member variable in ThreadableWebSocketChannelClientWrapper with Vector<UChar>.

No change in functionality, thus no new tests. WebSocket worker tests
(tests under http/tests/websocket/tests/{hixie76,hybi}/workers/) should keep passing.

websockets/ThreadableWebSocketChannelClientWrapper.cpp:

(WebCore::ThreadableWebSocketChannelClientWrapper::ThreadableWebSocketChannelClientWrapper):
(WebCore::ThreadableWebSocketChannelClientWrapper::subprotocol):
Create a String from Vector<UChar>.
(WebCore::ThreadableWebSocketChannelClientWrapper::setSubprotocol):
Copy the content of the given String into Vector.

This adds the ability to on-stack-replace (OSR) from code that is
running hot in the old JIT to code compiled by the new JIT. This
ensures that long-running loops benefit from DFG optimization.
It also ensures that if code experiences a speculation failure
in DFG code, it has an opportunity to reenter the DFG once every
1,000 loop iterations or so.

This results in a 2.88x speed-up on Kraken/imaging-desaturate,
and is a pure win on the main three benchmark suites (SunSpider,
V8, Kraken), when tiered compilation is enabled.

The storageTracker singleton may already have been created
through StorageTracker::tracker before initializeTracker
gets called. Update the ASSERT in this case to check that
there is no client for the tracker.

allowing the automatic ref counting to work. This was previous needed when
the ref counting wasn't working but that was fixed in r94986. Note that the
design was to have ref counting since the methods take PassRefPtr and the
class is ThreadSafeRefCounted. (Ideally we have noticed this flaw when
adding in AllowCrossThreadAccess.)
(WebKit::WorkerFileWriterCallbacksBridge::postWriteToMainThread):
(WebKit::WorkerFileWriterCallbacksBridge::postTruncateToMainThread):
(WebKit::WorkerFileWriterCallbacksBridge::postAbortToMainThread):
(WebKit::WorkerFileWriterCallbacksBridge::didWrite):
(WebKit::WorkerFileWriterCallbacksBridge::didFail):
(WebKit::WorkerFileWriterCallbacksBridge::didTruncate):
(WebKit::WorkerFileWriterCallbacksBridge::postInitToMainThread):
(WebKit::WorkerFileWriterCallbacksBridge::dispatchTaskToMainThread):
(WebKit::WorkerFileWriterCallbacksBridge::dispatchTaskToWorkerThread):

The errant code was added as an optimization in r67804.
This patch reverts that one, as all parties agree that the optimization
doesn't seem worthwhile, and there clearly aren't any tests covering
the special case.

No new tests, as existing tests should cover the remaining call to
|std::stable_sort|.

PlatformKeyboardEventEfl uses "Prior" and "Next" to refer to PageUp and
PageDown (which is close to the defines in WindowsKeyboardCodes.h).
However, EventSender was sending "Page_Up" and "Page_Down", so tests
such as editing/input/page-up-down-scrolls.html were timing out due to
the right key down events not being sent.

Since most of the time it will return the same thing as text(), we
initialize it the same way we initialize m_text. The other case (what
would have been generated if no modifiers were pressed) should be
covered by this as well.

As this method is used when handling access keys, tests such as
fast/events/access-key-self-destruct.html should now pass.

Renamed editing/deleting/5390681* to editing/deleting/smart-delete-across-editable-boundaries,
Added doctype/html/body to both tests, and converted smart-delete-across-editable-boundaries-2
to dump-as-markup test in the same style as the first. Also updated results.

Bug 62376 makes all ports use GraphicsContext3DOpenGL and
Extensions3DOpenGL when enabling WebGL.
However, some ports already have their own GC3D implementation.
In QT and chromium, for example, GC3D delegates to GC3DInternal.
So, it would be better to allow each port to decide whether or not
to include files in platform/graphics/opengl.

Guard access to UString::latin1() with USE(JSC) since it is defined in JavaScriptCore/runtime/UString.cpp, which
is currently only compiled in by ports that use JavaScriptCore. This code is currently unreachable in builds so
no change in functionality.

This adds the ability to bail out of DFG speculative JIT execution by
performing an on-stack replacement (OSR) that results in the control
flow going to the equivalent code generated by the old JIT.

This required a number of new features, as well as taking advantage of
some features that happened to already be present:

We already had a policy of storing the bytecode index for which a DFG
node was generated inside the DFG::Node class. This was previously
called exceptionInfo. It's now renamed to codeOrigin to reflect that
it's used for more than just excpetions. OSR uses this to figure out
which bytecode index to use to look up the machine code location in
the code generated by the old JIT that we should be jumping to.

CodeBlock now stores a mapping between bytecode indices and machine
code offsets for code generated by the old JIT. This is implemented
by CompactJITCodeMap, which tries to compress this data a bit. The
OSR compiler decodes this and uses it to find the machine code
locations it should be jumping to.

We already had a mechanism that emitted SetLocal nodes in the DFG graph
that told us the time at which the old JIT would have stored something
into its register file, and the DFG::Node that corresponds to the value
that it would have stored. These SetLocal's were mostly dead-code-
eliminated, but our DCE leaves the nodes intact except for making them
have 0 as the ref count. This allows the OSR compiler to construct a
mapping between the state as it would have been seen by the old JIT
and the state as the DFG JIT sees it. The OSR compiler uses this to
generate code that reshapes the call frame so that it is like what the
old JIT would expect.

Finally, when DFG_OSR is enabled (the default for TIERED_COMPILATION)
we no longer emit the non-speculative path.

This makes sheriffbot whois basically grep the committers list
making it much easier to find a contributor by name.

Unfortunately the current unittests depend on the real committers.py
file, so as we add more eric's to the project, this unittest result will
change. I think that's OK for now. We'll fix it when it breaks.

The changes are tested by compiling and added compile asserts to do some verification as well.

platform/CrossThreadCopier.cpp:

Added some compile asserts to verify various match and non-matches for CrossThreadCopier.

platform/CrossThreadCopier.h:

Added a typedef to convert T* to T, just like the typedef's to remove RefPtr and PassRefPtr.
Added a compile assert to verify that only one of the typedefs did anything.
(CrossThreadCopierBase<false, true, T>::copy): Remove "get" as it is unnecessary.
It shouldn't have been here (PassRefPtr and RefPtr easily and sometimes more efficiently
convert to PassRefPtr without get). Also, a raw pointer doesn't have a get() method.

Modified both the Yarr interpreter and JIT to handle 8 bit subject strings.
The code paths are triggered by the UString::is8bit() method which currently
returns false. Implemented JIT changes for all current architectures.
Tested X86_64 and ARM v7.

This includes some code that will likely change as we complete the
8 bit string changes. This includes the way the raw buffer pointers
are accessed as well as replacing the CharAccess class with a
string interator returned from UString.

Fixed build breakage in testRegExp.cpp due to globalObject construction
changes.

New function willPaintBrokenImage() returns true when there has been an error
loading the image and the broken image icon will be used in its place. This is
necessary since it is possible to have an error loading an image and to NOT use
the broken image icon.

Instead of making NRWT create the symlink, I just made DumpRenderTree smart enough
to resolve the passed in url relative to the absolute url for the test.

I believe this is a better approach than the on used in the Qt and Chromium DRT's
(which resolves the path relative to the built location of the DRT executable)
and we should move this new code into a shared location in a follow-up patch.

This moves the contents TextureManager over to the CCLayerTreeHost, where it belongs, and adds in a commit path
to make sure that textures are deleted even if the page is not visible. This move also removed the need for
LayerRendererChromium's CCLayerTreeHost pointer, so I removed that as well. That meant moving the
layerTreeAsText() logic over to the CCLayerImpl side, which is where it really belonged anyway.

I believe I've fixed the bug in the original patch which prompted the rollout.
The previous patch was using the wrong deadline for the initial read,
subtracting time.time() twice from the deadline value.

The compositor thread needs to create a GraphicsContext3D without
actually making it current. In previous attempts at doing this, we
modified all graphics3D creation to not make the contexts current, but
this prove to be shockingly fragile. Since this is a very
Chromium-specific behavior, this patch makes creationForAnotherThread a
method on the private GraphicsContext3D interface.
GraphicsContext3D::create behaves as usual.

We lack infrastructure to construct an automated test for this today. To test manually, open up a composited
page (like the poster circle), duplicate the tab many times, close all the duplicates, and verify that the
memory use returns to the single tab level.

This patch adds support for handling user-specific protocols.
It allows browsers to intercept and handle non-standard url schemes (such as preferences://)
allowing to load some resource from non-http/file storage, like a tar/zip/eet.

We lack infrastructure to construct an automated test for this today. To test manually, open up a composited
page (like the poster circle), duplicate the tab many times, close all the duplicates, and verify that the
memory use returns to the single tab level.

Added a simple way of generating backtrace on crash
to the web process. The implementation is similar what
we have in DRT. It depends on GNU libc functionality
so it is only enabled where we are running in such an environment.